[Exherbo-dev] [Exherbo Security] Package Distfile Signing Proposal

Ciaran McCreesh ciaran.mccreesh at googlemail.com
Thu May 10 16:07:46 UTC 2012


On Thu, 10 May 2012 18:03:37 +0200
"Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
> On Thu, May 10, 2012 at 5:56 PM, Ciaran McCreesh
> <ciaran.mccreesh at googlemail.com> wrote:
> > We can't modify exhereses programmatically. If it's going to be
> > parsed, it has to be in a dedicated file with a well defined format.
> 
> Yea... I thought you would say this. The conclusion of that statement
> leads to a manifest-like situation, I guess.
> 
> But maybe it's not necessary. Sha1s are very unique long weird
> strings. A find and replace on this is nearly guaranteed to be okay.

You don't even know which file to look in to do that replacement.

Also. No parsing bash!

> I know, though, that that doesn't sit right and lacks a general
> feeling of correctness. But view it this way --
> 
> A tool that does these updates does not need to be an officially
> supported built-in method of doing things. It could be a very simple
> bash script that calls the cave commands to get the current sha1s,
> calls the cave commands to do the fetching, and then runs sed.
> Something simple, where you wouldn't call it an "official tool for
> dealing with exheres", but just a common routine developers tend to
> use to update things.

No parsing bash! No even suggesting people try parsing bash! No changes
that might make it easier for people to try to parse bash!

> Or we can move the discussion in the manifest direction; I don't know.

No parsing bash!

-- 
Ciaran McCreesh